# Privileges Going Up ↑↑ (tentative)
<img src="https://i.imgur.com/xYVCwi8.jpg" width="50%">
ODCP reference
![](https://i.imgur.com/AMHEClg.png)
Draft table of contents
- Intro
- Windows security lecture
  - SID
    - Probably account-related topics
  - Integrity
    - Low/Medium/High/SYSTEM
  - Service
  - Access Token
    - Privilege (SeXXX)
    - Primary (User) / Impersonation Token
      - Anonymous/Identification/Impersonation/Delegation
      - SeImpersonatePrivilege
  - Privileges
  - UAC basics
- Exercises and tool hands-on
  - UACME
  - Potato family
    - https://jlajara.gitlab.io/Potatoes_Windows_Privesc
  - PrintSpoofer (from Service to SYSTEM)
    - https://github.com/itm4n/PrintSpoofer
    - https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
## Enumeration
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
- whoami /priv
## UAC
- UAC
  - How UAC works
    - https://learn.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
    - https://milestone-of-se.nesuke.com/sv-basic/windows-basic/user-access-control/
  - AutoElevate
    - https://www.microsoftpressstore.com/articles/article.aspx?p=2228450&seqNum=9
    - https://gist.github.com/TheWover/b5a340b1cac68156306866ff24e5934c
  - Checking whether UAC is enabled or disabled
    - https://book.hacktricks.xyz/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control
- UAC bypass
  - https://github.com/hfiref0x/UACME
  - https://blogs.quickheal.com/uac-bypass-using-cmstp/
  - https://www.elastic.co/jp/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies
  - https://fuzzysecurity.com/tutorials/27.html
  - DLL hijacking
    - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
    - https://www.greyhathacker.net/?p=796
    - https://cqureacademy.com/cqure-labs/cqlabs-how-uac-bypass-methods-really-work-by-adrian-denkiewicz
  - Registry keys
    - https://swapcontext.blogspot.com/2020/10/uacme-35-wd-and-ways-of-mitigation.html
    - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
      ```
      Author: winscripting.blog
      Type: Shell API
      Method: Registry key manipulation
      Target(s): \system32\fodhelper.exe
      Component(s): Attacker defined
      Implementation: ucmMsSettingsDelegateExecuteMethod
      Works from: Windows 10 TH1 (10240)
      Fixed in: unfixed 🙈
      How: -
      ```
    - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
  - COM interfaces
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
    - https://422926799.github.io/posts/70084607.html
    - https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d
  - COMAutoApprovalList
    - https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html
- UAC bypass in the wild
  - Real-world examples (see image)
- UAC bypass lab
  - Not decided yet, but some code walkthrough plus a hands-on trial
## token
- https://blog.nflabs.jp/entry/2021/12/20/094644
- https://www.elastic.co/jp/blog/introduction-to-windows-tokens-for-security-practitioners
- https://www.elastic.co/jp/blog/how-attackers-abuse-access-token-manipulation
- https://i.blackhat.com/USA-20/Thursday/us-20-Burgess-Detecting-Access-Token-Manipulation.pdf
- https://www.youtube.com/watch?v=QRpfvmMbDMg
- https://www.cnblogs.com/wh4am1/p/12844441.html
## Tools
- https://github.com/sailay1996/SpoolTrigger
- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
- https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- https://github.com/hfiref0x/UACME
- https://github.com/m0nad/awesome-privilege-escalation
- windows-internals-guide/security: https://github.com/windows-internals-guide/security
# Ref
## 200
### 18.2.1
1. Privileges (Microsoft, 2018), https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx
2. Access Tokens (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
3. Security Identifiers (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/security-identifiers
4. LSA Authentication (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthn/lsa-authentication
5. Windows Integrity Mechanism (Microsoft, 2007), https://msdn.microsoft.com/en-us/library/bb625957.aspx
6. Windows Integrity Mechanism Design (Microsoft, 2007), https://msdn.microsoft.com/en-us/library/bb625963.aspx
7. Securable Objects (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/securable-objects
8. (Wikipedia, 2019), https://en.wikipedia.org/wiki/Sandbox_(software_development)
### 18.2.2
1. User Account Control (Microsoft, 2017), https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview
2. User Account Control (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
3. (Microsoft, 2017), https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-6
4. (Microsoft, 2017), https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
### 18.2.3
1. (Winscripting.blog, 2017), https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
2. (Pentestlab, 2017), https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
3. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/sysinfo/structure-of-the-registry
4. (Microsoft, 2019), https://msdn.microsoft.com/en-us/library/windows/desktop/aa374191(v=vs.85).aspx
5. (Microsoft, 2019), https://docs.microsoft.com/en-us/sysinternals/
6. (Microsoft, 2010), https://msdn.microsoft.com/en-us/library/bb756929.aspx
7. (Microsoft, 2016), https://technet.microsoft.com/en-us/library/2009.07.uac.aspx
8. (Microsoft, 2019), https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
9. (Mitre, 2019), https://attack.mitre.org/techniques/T1038/
10. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key
11. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/shell/launch
12. (Eric Law, 2011), https://blogs.msdn.microsoft.com/ieinternals/2011/07/13/understanding-protocols/
13. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model
14. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shellexecuteexa
15. (Microsoft, 2017), https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-add
### 18.2.4
N/A
### 18.2.5
1. (Microsoft, 2019), https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
2. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
3. (Microsoft, 2017), https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
4. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls#remarks
5. (Gjoko Krstic, 2017), https://www.exploit-db.com/exploits/41959/
6. (Microsoft, 2016), https://docs.microsoft.com/en-us/cpp/c-runtime-library/reference/system-wsystem?view=vs-2019
7. (Wikipedia, 2019), https://en.wikipedia.org/wiki/Cross_compiler
8. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmic
9. (Microsoft, 2019), https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
### 18.2.6
N/A
### 18.2.7
1. (Andrew Freeborn, 2016), https://www.tenable.com/sc-report-templates/microsoft-windows-unquoted-service-path-vulnerability
2. (Microsoft, 2018), https://support.microsoft.com/en-us/help/102739/long-filenames-or-paths-with-spaces-require-quotation-marks
### 18.2.8
1. (Wikipedia, 2019), https://en.wikipedia.org/wiki/Blue_Screen_of_Death
2. (Parvez Anwar, 2017), https://www.exploit-db.com/exploits/41542/
3. (Microsoft, 2017), https://docs.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-inf-files
4. (Mingw-w64, 2019), https://mingw-w64.org/doku.php
5. (GCC, 2019), https://gcc.gnu.org/onlinedocs/gcc/Warnings-and-Errors.html
6. (Microsoft, 2018), https://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx
## 300
### 12.2.1
1. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
2. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/privileges
3. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
4. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges
5. (Microsoft, 2017), https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
6. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/ntsecapi/nf-ntsecapi-lsaaddaccountrights
7. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings
8. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
9. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/secauthz/impersonation-tokens
10. (James Forshaw, 2015), https://www.slideshare.net/Shakacon/social-engineering-the-windows-kernel-by-james-forshaw
11. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/com/delegation-and-impersonation
### 12.2.2
1. (Bryan Alexander, Steve Breen, 2017), https://foxglovesecurity.com/2017/08/25/abusing-token-privileges-for-windows-local-privilege-escalation/
2. (Wikipedia, 2020), https://en.wikipedia.org/wiki/Handle_(computing)
3. (Microsoft, 2020), https://docs.microsoft.com/en-us/windows/win32/services/localservice-account
4. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex
5. (@itm4n, 2020), https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
6. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/ipc/pipes
7. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/ipc/interprocess-communications
8. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/ipc/anonymous-pipes
9. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipes
10. (@harmj0y, 2017), https://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/
11. (Microsoft, 2019), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-prsod/7262f540-dd18-46a3-b645-8ea9b59753dc
12. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-impersonatenamedpipeclient
13. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea
14. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/namedpipeapi/nf-namedpipeapi-connectnamedpipe
15. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/winbase/nf-winbase-waitnamedpipea
16. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openthreadtoken
17. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-gettokeninformation
18. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertsidtostringsidw
19. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-getcurrentthread
20. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/secauthz/access-rights-for-access-token-objects
21. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/winnt/ne-winnt-token_information_class
22. (Microsoft, 2020), https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.allochglobal?view=netcore-3.1
23. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/ns-ntifs-_token_user
24. (Microsoft, 2020), https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.ptrtostructure?view=netcore-3.1
25. (Microsoft, 2020), https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal.ptrtostringauto?view=netcore-3.1
26. (Microsoft, 2019), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1
27. (Microsoft, 2019), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/989357e2-446e-4872-bb38-1dce21e1313f
28. (Microsoft, 2019), https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b8b414d9-f1cd-4191-bb6b-87d09ab2fd83
29. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/rpcndr/nf-rpcndr-ndrclientcall2
30. (Lee Christensen, 2018), https://github.com/leechristensen/SpoolSample
31. (Vincent Le Toux, 2018), https://github.com/vletoux/SpoolerScanner
32. (Microsoft, 2018), https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats
33. (Microsoft, 2020), https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
34. (Microsoft, 2020), https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw
35. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/winnt/ne-winnt-security_impersonation_level
36. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/winnt/ne-winnt-token_type
37. (Microsoft, 2018), https://docs.microsoft.com/en-gb/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
38. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_information
39. (Clément Labro, 2020), https://github.com/itm4n/PrintSpoofer
40. (Alex Ionescu, 2020), https://windows-internals.com/faxing-your-way-to-system/
41. (Microsoft, 2009), https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787851(v=ws.10)?redirectedfrom=MSDN
42. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal
43. (@decoder_it, 2020), https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/
44. (@decoder_it, 2019), https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
45. (Microsoft, 2018), https://docs.microsoft.com/en-us/windows/win32/winrm/portal
### 12.2.3
1. (Rapid7, 2015), https://github.com/rapid7/meterpreter/blob/master/source/extensions/incognito/incognito.c
2. (Microsoft, 2020), https://docs.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser